Security reminder (WordPress)

WordPress-based sites have been attacked by a large botnet lately. We use an advanced security system to block this kind of attack, and we protect the most popular software, such as WordPress, from brute-force attacks. However, if the password used is too weak, successful attacks can still occur. The current attack has involved over 100,000 IP addresses.

Below is a list of things you can do to protect the WordPress admin area:

Password with enough strength:

  • At least 8 characters
  • Includes uppercase and lowercase letters, numbers and special characters

Two-step-authentication:

http://en.blog.wordpress.com/2013/04/05/two-step-authentication/

IP based .htaccess protection:

Create a .htaccess file in the wp-admin folder (/wp-admin/.htaccess) with the following contents:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress protection"
AuthType Basic
# Note: <LIMIT GET> restricts only GET requests; remove the <LIMIT> wrapper
# to apply the deny/allow rules to POST and every other method as well.
<LIMIT GET>
order deny,allow
deny from all
# Mat's allowed IP address
allow from xx.xx.xx.xxx
# May's allowed IP address
allow from xx.xx.xx.xxx
</LIMIT>

Replace xx.xx.xx.xxx with your own IP addresses.

.htaccess password protection:

Create a .wpadmin file in your home folder:

/home/username/.wpadmin

Generate the contents of the .wpadmin file (htpasswd format) at:

http://www.htaccesstools.com/htpasswd-generator/

After this, create a /home/username/.htaccess file and add the following (replace username with your own username):

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
# Ask for the .wpadmin credentials before the WordPress login page is served
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>

Please contact us for more information or help with this matter.

18.04.2013
